MUUGLines The Manitoba UNIX User Group Newsletter

June 2011 Volume 23 No. 10

Next Meeting: June 14th, 2011
Topic: Practical Security (Sean Cody)

For our last meeting of the season, Sean Cody will be speaking on Practical Security. The term “security” is thrown around quite readily and its meaning has been diluted to a product adjective rather than a process or mind set. This presentation will go over the basic theory of computer security and attempt to equip you with the knowledge to properly evaluate computer security, products and mitigation strategies.

Where to find the Meeting

Meetings are held at the IBM offices at 400 Ellice Ave. (between Edmonton and Kennedy Streets). When you arrive, you will have to sign in at the reception desk. Please try to arrive by about 7:15pm, so the meeting can start promptly at 7:30pm.

Limited parking is available for free on the street, either on Ellice Ave. or on some of the intersecting streets. Indoor parking is also available nearby, at Portage Place, for $5.00 for the evening. Bicycle parking is available in a bike rack under video surveillance located behind the building on Webb Place.

Upcoming Meetings

September 13th, 2011

We’ll start the 2011/2012 year with our first meeting on Tuesday, September 13th. Stay tuned (and make sure you’re subscribed to one of the mailing lists) for details on that month’s presentation.

Kernel 3.0-RC1 Announced

As originally noted in a posting by Linus (http://lwn.net/Articles/445222/), the Linux kernel version number is jumping a few points to 3.0. No, marketing firms aren’t searching for a new internet buzzword; the kernel major revision number is simply being renumbered to 3. Linus explains the reasoning for the jump as “I can no longer [sic] comfortably count as high as 40.”

No big changes are actually expected. As usual, there will be some driver updates and random fixes. Code regarding VMs and the VFS has been cleaned up some as well. The duplicate-code and out-of-tree-patch situation for the ARM architecture has improved somewhat, and that work is ongoing.

The goal is to have a “nice stable 3.0” release rather than the typical problems that plague a .0 release: sure and steady.

Red Hat Enterprise Linux 6.1 Released May 19

RHEL, a staple for Linux installations in the enterprise, has shipped the next point release of the version 6 product line. Updates listed:

• Additional configuration options for advanced storage configurations, with improvements in FCoE, Datacenter Bridging and iSCSI offload, which allow networked storage to deliver the quality of service commonly associated with directly connected storage
• Enhancements in virtualization, file systems, scheduler, resource management and high availability
• New technologies that enable smoother enterprise deployments and tighter integration with heterogeneous systems
• A technology preview of Red Hat Enterprise Identity (IPA) services, based on the open source FreeIPA project
• Support for automatic failover for virtual machines and applications using the Red Hat High Availability Add-On
• Integrated developer tools that provide the ability to write, debug, profile and deploy applications without leaving the graphical environment
• Improvements to network traffic processing to leverage multi-processor servers, which are getting increasingly common

For those not familiar with IPA, the “Identity, Policy, and Audit” suite is similar to Novell’s Identity Manager and Microsoft’s Active Directory.

Pcc 1.0 Has Been Released

“pcc” is a BSD-licensed C compiler that has been gaining some popularity and attention in the past year. It is not to be confused with the CLANG project. The recent work on pcc was funded by the BSD Fund, and the focus was on optimizing the compiler (already noted for its performance) and having it be able to self-host on, and compile the kernels (and userland) of, the BSDs. This release can now build the userland and kernel of the FreeBSD, NetBSD and OpenBSD base systems, with Linux kernel compatibility being targeted next.

pcc has been around since the 1970s, but has now been released with AMD64 support and improved GCC compatibility, thanks to the BSD Fund and pcc maintainer Anders Magnusson. Future plans are noted:

“With a little more help, pcc should run on the key mobile platforms we all carry today. Portability never goes out of style and pcc’s permissive licensing makes it attractive to the widest possible audience.”

Carriers and vendors are unlikely to support this, but persistent programmers and hobbyists seem to live by the motto “void your warranty.” We can count on seeing some interesting applications in the future!

Gmail Gains Two Factor Authentication

A Gmail account can now use a new authentication scheme referred to as two-factor authentication. Basically, two-factor authentication is composed of tokens matching something you know (the account password) and something you have (such as a generated authentication code on a mobile device). Users can now have Gmail send them the authentication code via SMS, or install an app on their Android, Blackberry or iPhone to generate the code themselves.

You have the option of your machine remembering the verification for 30 days. You can also generate application-specific passwords to sign in to your account from non-browser-based applications that are designed to only ask for a password.

If you feel comfortable with giving Google your cell phone number, you can turn on “2-step verification” in your Account Settings: click on your email address in the upper right when logged into Gmail.

OpenBSD 4.9 Released

With little fanfare, OpenBSD 4.9 was released on May 1st. The theme art of the release is modelled after “The Hitch Hiker’s Guide to the Galaxy.” The highlights of the release include:

• NTFS (read-only) enabled by default in the GENERIC kernel.
• vmt(4) driver enabled by default for VMware Tools support as a guest (this is a big deal for those wanting to run and manage OpenBSD guests under VMware).
• Lots of the usual work and improvements to the network stack and pf(4) firewall code.
• Re-audit and validation of the IPsec code (given the “scare” of a back-door which so far has proven to be FUD).
• The mandoc replacement for groff and friends is finally considered stable and part of the release. For more information on this, check out the BSDTalk podcast (#204) with the authors of this tool (http://bsdtalk.blogspot.com/).

OpenBSD’s IPsec Backdoor FUD Is Just That...

A huge bit of media hype surrounded an implication by one Gregory Perry that the authors of part of the IPsec implementation for OpenBSD had been subverted into adding FBI-sponsored back-door code. While preposterous, the accusation was made public and an effort launched to either validate or re-audit the code in question. The reputation of OpenBSD and its security and licensing morals are what blew this out of proportion, but since every accusation must at least be investigated, the media made a big deal out of what ended up being nothing.

Mikel King has assembled a bunch of articles, the original complaint and disclosure, as well as many other posts on this topic. The articles range from well thought out to absolutely insane, but are a good read nonetheless: http://bsdnews.net/index.php/2010/12/17/bsd-and-the-fbi-sponsored-ipsec-backdoor-yawn/

11.04 Natty Narwhal Exposed

There has been a ton of press on the radical changes Canonical is taking on with the Ubuntu 11.04 distribution (including an article in last month’s newsletter). The chief criticism is the replacement of the GNOME desktop with Unity. Some people really like it and many “old-school” users despise it, but you have to give a nod of respect to Canonical for trying something different.

If you are moving to this release there is a nice post by Manuel Jose going over, and linking to, a bunch of useful tidbits on what has changed and how to make best use of the new features of this release. You can check out his post at http://www.techdrivein.com/2011/06/everything-you-need-to-know-about..

Oracle to Hand Over OpenOffice.org to Apache Incubator

Ever since Oracle acquired Sun, there have been rumours and posturing over the future of OpenOffice.org. After the botched handling of MySQL, the community of users was very wary of what Oracle would do with the popular product, and many members of the community jumped ship and forked the project as LibreOffice.

Since then, Oracle has proposed that the OpenOffice.org IP be “donated” to the Apache Foundation as part of its Apache Incubator project. Should this proceed, it would definitely solidify the licensing and availability of the product (using both LGPLv3+ and MPL licenses) and allow for continued open source contributions while maintaining a commercial-friendly status.

Network World has posted a good summary article on this proceeding and announcement at: http://www.networkworld.com/community/blog/oracle-proposes-openofficeorg-apache-incubato.

A Free BSD-Focused Magazine

In the same vein as Linux Journal, there exists a nice BSD-focused magazine that just happens to be free! The articles are well written, come from BSD community members and cover all of the BSDs (subject to article submissions). This month’s issue concentrates on NanoBSD and ALIX, though it also has a nice article on OpenSSL.

Aside from an annoying “requires email address submission” step, the magazine is free to download in PDF format. Check it out at http://bsdmag.org.

Inject Some Magic Into Your CLI

There are at least a few members in this group who delight in completing a crazy amount of work in a single command line. Many CLI tools are under-used and under-appreciated, but some of us go to ridiculous lengths to string tools together for all kinds of repetitive tasks, in ways that make perl code look readable. There is a really cool twitter feed which focuses on CLI tricks named @climagic (http://twitter.com/climagic), and while most of the tricks focus on Linux shells, there is a lot of good stuff to learn.

A Simple Yet Effective “First Step” in Locking Down OpenSSH

OpenSSH is the de facto SSH implementation, in use by almost every product offering an SSH implementation or feature. Over the past year there have been increasingly aggressive attempts to brute-force accounts on SSH daemons addressable over the internet. These attacks are generally referred to as “Hail Mary” brute-force attacks. There are many ways to reduce the effect or frequency of these attacks, but a sure-fire way to mitigate them is to turn off password authentication on the daemon on external/public interfaces and only allow key-based authentication. Doing this selectively isn’t obvious from the standard installation or sample configuration files, so Michael Lucas (of Absolute OpenBSD/FreeBSD fame) has written up a small article on how to do this, which you can get at http://blather.michaelwlucas.com/archives/818.

Another technique is to packet-filter “known miscreants” from even knocking on the port, by blocking “known offenders” with the SSH blacklist provided by the folks at OpenBL.org (formerly sshbl.org). These folks host a number of SSH servers listening for and detecting brute-force attempts, and put the sources in a frequently updated list that can be injected into your packet filter (in a “black hole” rule) or into TCP wrappers via hosts.deny. You can check them out at http://www.openbl.org.

Either technique by itself is good, but both together provide a very strong defence against this increasingly annoying attack vector.
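The blacklist side of this is easy to automate locally as well: the same “Failed password” lines that OpenBL’s listeners count are in your own auth log. The following is an added example, not from the article or from OpenBL: it counts failed password attempts per source in OpenSSH log lines, merges the offenders with a downloaded list, and emits the text for a pf table file and for hosts.deny. The log lines and the list are constructed samples using documentation address ranges, the threshold and the allow-listed management network are assumptions, and the table name “sshblock” is made up for the example.

```python
"""Build an SSH block list from sshd log lines plus a published blacklist.
Added illustration for the OpenSSH lock-down discussion; the log lines and
the blacklist below are constructed samples, not real OpenBL data."""
import ipaddress
import re
from collections import Counter

# OpenSSH's log line for a rejected password, with or without "invalid user".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

# Constructed sample of auth log lines (documentation addresses, not a real host).
SAMPLE_LOG = """\
Jun 10 03:14:15 gw sshd[4242]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Jun 10 03:14:17 gw sshd[4242]: Failed password for invalid user admin from 203.0.113.5 port 50123 ssh2
Jun 10 03:14:19 gw sshd[4244]: Failed password for root from 203.0.113.5 port 50124 ssh2
Jun 10 03:14:20 gw sshd[4245]: Failed password for invalid user oracle from 203.0.113.5 port 50125 ssh2
Jun 10 03:15:01 gw sshd[4250]: Failed password for invalid user test from 198.51.100.77 port 3301 ssh2
Jun 10 03:15:02 gw sshd[4250]: Failed password for invalid user test from 198.51.100.77 port 3302 ssh2
Jun 10 03:15:03 gw sshd[4250]: Failed password for invalid user test from 198.51.100.77 port 3303 ssh2
Jun 10 03:16:40 gw sshd[4260]: Failed password for alice from 192.0.2.10 port 61000 ssh2
Jun 10 03:16:45 gw sshd[4261]: Accepted publickey for alice from 192.0.2.10 port 61001 ssh2
Jun 10 03:17:00 gw sshd[4262]: Failed password for invalid user pi from 2001:db8::bad port 40000 ssh2
Jun 10 03:17:01 gw sshd[4262]: Failed password for invalid user pi from 2001:db8::bad port 40001 ssh2
Jun 10 03:17:02 gw sshd[4262]: Failed password for invalid user pi from 2001:db8::bad port 40002 ssh2
"""

# Constructed stand-in for a downloaded list: one address per line, '#' comments.
SAMPLE_BLACKLIST = """\
# sample list, constructed for this example
203.0.113.5
198.51.100.200
not-an-address
"""


def failed_logins(log_text):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def parse_blacklist(text):
    """Valid addresses from a one-per-line list; comments and junk are dropped,
    never trusted into a firewall rule."""
    addrs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            addrs.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue
    return addrs


def build_blocklist(log_text, blacklist_text, threshold=3, allow=("192.0.2.0/24",)):
    """Offenders at or over `threshold` failures, unioned with the published list,
    minus anything inside the allow-listed management networks (an admin's typo
    must never lock the admin out).  Returns sorted address strings."""
    allow_nets = [ipaddress.ip_network(n) for n in allow]
    offenders = {ip for ip, n in failed_logins(log_text).items() if n >= threshold}
    offenders |= parse_blacklist(blacklist_text)
    keep = [ip for ip in offenders
            if not any(ipaddress.ip_address(ip) in net for net in allow_nets)]
    # v4 and v6 addresses are not mutually comparable, so sort by (version, address).
    return sorted(keep, key=lambda s: (ipaddress.ip_address(s).version,
                                       ipaddress.ip_address(s)))


def pf_table_file(addrs):
    """Contents for a file loaded by:  table <sshblock> persist file "/etc/sshblock"
    and used by:  block drop in quick proto tcp from <sshblock> to any port 22"""
    return "".join(a + "\n" for a in addrs)


def hosts_deny_lines(addrs):
    """TCP wrappers syntax; IPv6 literals go in brackets."""
    return "".join("sshd: " + ("[%s]" % a if ":" in a else a) + "\n" for a in addrs)


if __name__ == "__main__":
    blocked = build_blocklist(SAMPLE_LOG, SAMPLE_BLACKLIST)
    print(pf_table_file(blocked))
    print(hosts_deny_lines(blocked))
```

Run it from cron, write the table file, and reload with `pfctl -t sshblock -T replace -f /etc/sshblock` so stale entries age out when the upstream list changes. Two cautions: log formats drift between OpenSSH versions and syslog setups, so check the regex against your own log before trusting it, and keep the allow list honest, because a blackhole rule that swallows your own management network is the one outage this technique can cause. The per-interface part of the first technique lives in sshd_config itself (a `Match Address` block with `PasswordAuthentication no`); test a key-based login from outside before you disable passwords there.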

“The Cloud” Isn’t Always Fluffy and White...

Just when you thought the Dropbox debacle was simmering down, Colin Percival (of FreeBSD Security Officer and Tarsnap fame) took a deeper look at Jungle Disk’s code release. His conclusion is that the folks at Jungle Disk made the distinct decision to focus on ease of use rather than security. The key problem is in how Jungle Disk’s client encrypts its stream while completely avoiding message authentication. It also has credential management issues. All of these vulnerabilities would be entirely hidden from users, but thankfully there are studious folks out there like Mr. Percival who are auditing these services. If you want more detail about these issues, check out Colin’s blog post on the topic at: http://www.daemonology.net/blog/2011-06-03-insecurity-in-the-jungle.html
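“Encrypts but never authenticates” sounds academic until you see what it allows: with any stream or counter-mode cipher, whoever can modify the ciphertext can modify the plaintext byte for byte without knowing the key, and the client decrypts the result without complaint. The following is an added example, not the article’s and not Jungle Disk’s code: it uses a toy keystream (HMAC-SHA256 in counter mode, a stand-in so the block needs no third-party library) to show the bit-flipping attack, then the encrypt-then-MAC construction that detects it. The master key, nonce and record layout are constructed for the demonstration.

```python
"""Why 'encrypt but never authenticate' is a real hole.  The toy stream cipher
here (HMAC-SHA256 in counter mode) stands in for any unauthenticated stream or
CTR-mode encryption; it is NOT Jungle Disk's construction.  Added illustration."""
import hashlib
import hmac
import os


def derive_keys(master: bytes):
    """Separate encryption and MAC keys from one master key (HMAC as a KDF)."""
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-mode keystream: HMAC(key, nonce || counter) blocks, concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_only(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: plaintext XOR keystream.  Nothing detects tampering."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt_only = encrypt_only  # XOR is its own inverse


def flip_field(ciphertext: bytes, offset: int, known_old: bytes, wanted_new: bytes) -> bytes:
    """Attacker step, no key needed: if plaintext bytes `known_old` sit at
    `offset`, then c XOR old XOR new decrypts to `wanted_new`."""
    patch = xor_bytes(known_old, wanted_new)
    ct = bytearray(ciphertext)
    for i, b in enumerate(patch):
        ct[offset + i] ^= b
    return bytes(ct)


def seal(master: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, under a separate key."""
    enc_key, mac_key = derive_keys(master)
    nonce = nonce or os.urandom(16)
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(master: bytes, blob: bytes):
    """Verify the tag in constant time BEFORE decrypting; None means tampered."""
    enc_key, mac_key = derive_keys(master)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt_only(enc_key, nonce, ct)


if __name__ == "__main__":
    master = b"example master key, constructed"      # constructed for the demo
    enc_key, _ = derive_keys(master)
    nonce = b"\x00" * 16                               # fixed only so the demo is repeatable
    record = b"owner=alice;acl=private;size=1024"      # constructed record layout
    ct = encrypt_only(enc_key, nonce, record)
    # An attacker who knows the layout rewrites the ACL without the key:
    evil = flip_field(ct, record.index(b"private"), b"private", b"public!")
    print(decrypt_only(enc_key, nonce, evil))          # b'owner=alice;acl=public!;size=1024'
    # The same tampering against an authenticated blob is rejected:
    blob = seal(master, record, nonce)
    print(open_sealed(master, blob))                   # the original record
    print(open_sealed(master, flip_field(blob, 16 + record.index(b"private"),
                                         b"private", b"public!")))   # None
```

The attacker never learns the key or the keystream; knowing (or guessing) what sits at an offset is enough, and for a backup client the file and metadata formats are public. Note the two design points in the fix: the MAC key is distinct from the encryption key, and the tag is checked before any decryption, so a bad blob is never interpreted. In real code use AES-GCM or a similar AEAD rather than this toy keystream; the malleability lesson is the same.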
